WhatsApp's End-to-End Encryption Turned Out to be a Sham? The Messenger Has Been Leaking Data About Our Phones to Hackers for Years
Meta Was Aware but Considered It "Not a Privacy Issue."
Meta Was Aware but Considered It "Not a Privacy Issue."
WhatsApp, owned by Meta, has long been a convenient entry point for cyberattacks. The messenger is used monthly by over 3 billion people, and this very audience makes it particularly attractive for distributing malware. While end-to-end encryption reliably protects message content, the service's multi-device mode features have, for years, allowed the extraction of technical information about a contact's devices. This data proved accurate enough to be used in the reconnaissance phase of attacks.
Any sophisticated cyberattack begins with reconnaissance. Before deploying an exploit, it is crucial for attackers to understand what device is on the other end. Sending an Android exploit to an iPhone is not only useless but also risky: the victim might notice suspicious activity and thereby thwart the operation. For professional groups, such a mistake carries far more serious consequences—from losing costly 0-day and 0-click vulnerabilities to exposing infrastructure and target lists.
Problems related to data leaks in WhatsApp were detailed earlier in 2024. At that time, researchers demonstrated that the messenger allows determining account configuration—specifically, how many devices are connected and which ones. The source of this leak lies in the architecture of end-to-end encryption when using multiple devices. Each recipient's device establishes a separate cryptographic session with the sender, and each such session uses its own keys. As a result, connected devices become distinguishable, enabling a third-party observer to infer the composition of that group.
It was later revealed that separate sessions could also be used for a more targeted scenario—selecting a specific device to attack. Instead of trying to "reach" the entire account, an attacker could target the desired device. In 2025, researchers went further and showed that, based on individual parameters of cryptographic keys, it is possible to determine not only a specific device but also its operating system. In other words, WhatsApp effectively allowed fingerprinting—identifying the target's platform.
The leakage mechanism turned out to be related to a standard service procedure. To establish a secure session, the sender requests cryptographic material from WhatsApp servers, which is generated on the side of each recipient's device. This is necessary to preserve the properties of end-to-end encryption; however, it is at this stage that differences in implementation across platforms manifested. Some key identifiers were created differently, and by these distinctions, it was possible to determine whether Android or iOS was being used. No action was required from the device owner—the request was executed invisibly and without any notifications.
The study's authors note that conclusions about such platform identification were also described in a separate 2025 academic paper. They confirm these results with their own observations using an internal tool that has not yet been published. Using it, they noticed a recent change in the logic of the Android version of WhatsApp. It concerns the Signed PK ID parameter: previously, it started from a zero value and increased very slowly—about once a month. Now, this value is selected randomly.
The researchers view this step positively, as Meta previously did not consider it a privacy issue requiring a fix. However, the vulnerability is not completely eliminated. It remains possible to distinguish Android from iPhone based on another parameter—One-Time PK ID. In iOS, it starts from a low value and gradually increases with an interval of several days, while Android uses random values across the entire 24-bit range. The scientists updated their tool to account for the new behavior and still distinguish between platforms.
The process of implementing the fix raised separate concerns. According to the authors, WhatsApp made changes without public notification, did not contact the researchers who first reported the issue, did not pay a bounty, and did not assign a CVE identifier to the vulnerability. They compare this situation to another case they previously reported to the messenger: a fix was issued then, a small bounty was paid, but CVE assignment was denied, citing insufficient severity of the issue.
The authors consider this approach mistaken. In their opinion, a CVE should not be viewed as a stigma or an admission of failure—it is a tool for documenting and discussing security and privacy issues. Differences in risk levels are more logically reflected through CVSS scores rather than by withholding an identifier entirely.
In the end, WhatsApp has indeed begun to reduce the amount of information that can be used for covert reconnaissance. The research community's efforts have not been in vain. However, the manner in which changes are implemented and the persistence of the ability to distinguish platforms show that the problem is being addressed gradually and without much transparency. This story vividly demonstrates that even with robust encryption, implementation details and metadata can play a key role in attack preparation.
